
I have created a self-signed SSL certificate for testing purposes. It works fine when I open https://localhost from the browser, and now I am following this guide for adding my own TrustManager in Android.

When I try to connect to the server using the IP address of my machine, it throws

```
javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.168.10.3 not verified:
```

While I was able to solve it using a HostnameVerifier:

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

HostnameVerifier hostnameVerifier = new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        // Accept my test server's IP outright; every other host goes through the default verifier
        HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
        return hostname.trim().equals("192.168.10.3") || hv.verify(hostname, session);
    }
};
```

I still want to know what I am missing here. Am I still configuring it properly by using a custom HostnameVerifier? Here is the output of my certificate:

```
I/System.out: ca=C=PK, L=Islamabad, O=Self, OID.1.2.840.113549.1.9.1=#16176D616C6C617564696E71617A6940676D61696C2E636F6D, CN=https://192.168.10.3
```

I am running the openssl server using the following command:

```bash
openssl s_server -key rsa.key -cert allaudin.pem -accept 4000 -WWW
```
mallaudin

1 Answer

You can use Alternative Names for the IP address in the self-signed SSL certificate file.

There is a bash file that I have written on GitHub to generate a self-signed certificate with alternative names; you can copy the openssl.cnf and customize your openssl config. If you want to use an existing private key, the bash file should be this:

```bash
#!/bin/bash
KEY_FILE="server.key"
#######################################################
## Remove all generated files                        ##
#######################################################

rm -f server.crt keystore.p12 keystore.jks

#######################################################
## generate x509 certificate                         ##
#######################################################

openssl req -new -x509 -key "$KEY_FILE" -sha256 -out server.crt -days 730 -config openssl.cnf
openssl x509 -in server.crt -text -noout

#######################################################
## adding self-signed certificate into jks key store ##
#######################################################

PASSWORD="password"
openssl pkcs12 -export -name test -in server.crt -inkey "$KEY_FILE" -out keystore.p12 -password "pass:$PASSWORD"
keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -srcstorepass "$PASSWORD" -srcstoretype pkcs12 -alias test -storepass "$PASSWORD"

#######################################################
## Remove pkcs12 keystore                            ##
#######################################################
rm -f keystore.p12
```

Use `openssl x509 -in **.crt -text -noout` to see whether the self-signed certificate file has alternative names. The alternative names in server.crt are:

```
X509v3 Subject Alternative Name:
        IP Address:127.0.0.1
```

And a TestCase following Android's "unknown certificate authority" guidance has been written in Java 8 & JUnit 5; if you want to test in Android you need to make some transformations.

holi-java
  • @mallaudin The TestCase failed in Android? I don't have the Android environment installed on my computer. You can copy the TestCase and run it in Android. – holi-java Apr 18 '17 at 10:43
  • @mallaudin you can use `openssl x509 -in **.crt -text -noout` to see whether there are alternative names in a certificate file. – holi-java Apr 18 '17 at 10:46
  • @mallaudin you can find and download all of the files on [github](https://github.com/holi-java/api-test/commit/04d0054745f1ea5cd2095d86de2eea7c957cc5b1). All of the tests pass on the Java platform; I think they could pass in Android. – holi-java Apr 18 '17 at 11:11
  • I don't have any alternate name in the output – mallaudin Apr 18 '17 at 14:35
  • @mallaudin you can see more details in [openssl.cnf](https://github.com/holi-java/api-test/blob/master/src/test/resources/openssl.cnf#L22-L28). The selected rows show how to configure alternative names in a certificate. To add alternative names you must use a config file. – holi-java Apr 18 '17 at 14:41
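A runnable demonstration of the point made in both the question and the answer, added here as an example (it is not code from either post, nor from holi-java's repository). When the URL host is an IP literal, a correct TLS client such as Android's matches it only against `IP Address` entries of the Subject Alternative Name extension, never against the CN, so a certificate with `CN=https://192.168.10.3` (or even a plain `CN=192.168.10.3`) and no SAN is rejected with the `Hostname 192.168.10.3 not verified` error. The fix is to issue the certificate with an IP SAN from an openssl config file, as the answer describes, rather than to special-case the address in a custom HostnameVerifier, which silently accepts any certificate presented for that address. The script builds two self-signed certificates for the asker's subject, one without and one with the SAN, inspects them with the answer's `openssl x509 -text -noout` check, and then applies `openssl verify -verify_ip`, which uses the same SAN-only rule. The config layout, the file names, the temporary directory and the 2048-bit key size are this example's own choices; it needs only `openssl`:

```bash
#!/bin/bash
# Added example: two self-signed certificates for the asker's subject, one
# without and one with an IP-address SAN, checked with openssl's own SAN rule.
# Paths, the config layout and the key size are this example's assumptions.
set -eu

# Write a minimal openssl config; "$2" = yes adds the subjectAltName extension
# (the "no" variant mirrors the asker's certificate: a CN but no SAN).
write_cnf() {  # $1 = config path, $2 = yes|no
    {
        printf '%s\n' '[ req ]' 'distinguished_name = req_dn' 'prompt = no'
        if [ "$2" = yes ]; then printf '%s\n' 'x509_extensions = v3_req'; fi
        printf '%s\n' '[ req_dn ]' 'C  = PK' 'L  = Islamabad' 'O  = Self' 'CN = 192.168.10.3'
        if [ "$2" = yes ]; then
            printf '%s\n' '[ v3_req ]' 'subjectAltName = @alt_names' \
                          '[ alt_names ]' 'IP.1  = 192.168.10.3' 'DNS.1 = localhost'
        fi
    } > "$1"
}

# Generate (once) a private key and issue a self-signed cert from the config,
# the same "openssl req -new -x509 ... -config" step the answer's script uses.
make_cert() {  # $1 = working dir, $2 = yes|no ; writes $1/server-$2.crt
    local cnf="$1/openssl-$2.cnf"
    write_cnf "$cnf" "$2"
    [ -f "$1/server.key" ] || openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/server.key" -sha256 -days 730 \
        -config "$cnf" -out "$1/server-$2.crt"
}

# The inspection the answer recommends: does the cert list $2 as an IP SAN?
has_ip_san() {  # $1 = cert, $2 = IP address
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# Hostname check for an IP-literal URL. -verify_ip consults only IP SAN
# entries, never the CN, which is the rule Android's verifier applies too.
verify_ip() {  # $1 = cert (used as its own trust anchor), $2 = IP address
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

main() {
    local d; d=$(mktemp -d)
    make_cert "$d" no  >/dev/null
    make_cert "$d" yes >/dev/null
    for v in no yes; do
        if has_ip_san "$d/server-$v.crt" 192.168.10.3; then
            echo "server-$v.crt: has IP SAN 192.168.10.3"
        else
            echo "server-$v.crt: no IP SAN for 192.168.10.3"
        fi
        if verify_ip "$d/server-$v.crt" 192.168.10.3; then
            echo "server-$v.crt: accepted for https://192.168.10.3"
        else
            echo "server-$v.crt: rejected for https://192.168.10.3 (Hostname not verified)"
        fi
    done
    rm -rf "$d"
}

main
```

Run as a script: the CN-only certificate is rejected even though its CN is the bare address, and the SAN certificate is accepted. The same `verify_ip` check rejects the SAN certificate for 127.0.0.1, which is why the answer's generated certificate with only `IP Address:127.0.0.1` would still fail against 192.168.10.3 unless that address is listed under `[ alt_names ]` as well.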